Durban - Personal information of more than half of South Africa’s population has been compromised in what has been described as the largest cyber hacking scandal the country has seen.
The leaking of information has raised fears that it could be misused for “phishing” scams and identify theft.
On Wednesday a file dated April 2015 with more than 30 million records and 2.2 million e-mails was found published to a publicly accessible web server by Troy Hunt, an Australian web security expert and Microsoft regional director.
The 27GB back-up file was said to have been sent to www.haveibeenpwned.com, a data breach search service Hunt created.
Let’s not call this a “hack” folks. Someone in South Africa literally published their database of the entire country to the public internet. https://t.co/uvP8fLvqXg— Troy Hunt (@troyhunt) October 18, 2017
According to the website, when analysed, the file had personal data of more than 33 million living and deceased South Africans, including names, physical addresses, phone numbers, e-mail addresses, employers, ethnicities, genders, IDs, home ownership statuses, job titles.
According to Verlie Oosthuizen, a partner and head of social media at Shepstone & Wylie Attorneys, this information could be used for “phishing” scams. “They extract further information out of you with the possibility of, for example, cracking passwords and codes to defraud bank accounts or other criminal activities.
“Identity theft and opening up retail accounts, and conning people into paying money into accounts with the possibility or promise of winning a huge prize are two examples of the types of activities that can happen once they have personal information about you,” she said.
Just last month, personal information of 140 million Americans was compromised in a breach of a credit bureau.
Professor Basie von Solms, director of the Centre for Cyber Security at the University of Johannesburg, said “massive breaches” were becoming “unsettlingly normal”, which was “unbelievably bad and very serious”. “It proves the fact that securing any cyber system is unbelievably complex. It’s impossible - in cyberspace - to 100% protect your data but many companies are extremely lax.
“From statistics we’ve seen that particularly small to medium enterprises just don’t have the money or expertise, and cyber criminals are getting more and more sophisticated. We are fighting a losing battle, hackers are always one step ahead,” said Von Solms.
It did not help that companies and government were using cyberspace more to hold customer data.
The public was also contributing to the cyber footprint with - among other things and most worryingly - social media.
Von Solms blamed the government entity whose mandate it was to protect the public’s personal information on cyberspace, saying it was not doing enough.
However, the National Cybersecurity Hub said it had already “established some facts” since the start of their investigation on Tuesday. Siya Qoza, spokesperson for the Department of Telecommunications and Postal Services - under which the hub falls - said a breach of this magnitude was of great concern.
“They are now looking at what else needs to be done to secure the information and bring those responsible for the compromise to book,” said Qoza.
“There are two types of people who do this. One group breaches security systems just to show that they are able to do it, they don’t usually use the information for devious means. The other steals information, then uses it to bankrupt people or enrich themselves,” said Qoza.
He was of the opinion that this hacking was by the former, due to the large volume of information obtained. But Von Solms, cautioned against complacency, saying even if the hackers were doing it “for show”, cyber criminals were lining up to buy the information for malicious purposes.
As for catching the hacker or hackers, Von Solms was not hopeful, saying it was likely to be a hacker in some foreign country, out of the reach of South African law-enforcement authorities.
The hub might have better luck identifying the source of the information once the Protection of Personal Information Act is enacted, as it can lead to jail time and/or fines as a consequence of companies failing to protect customer information.
“We could also see class actions, like in America, where people are claiming for the loss of privacy and electronic identity,” he said.